SqlSpnManager


Export-SqlSpnRegistrationScript

Renders an SPN plan into a clean setspn command bundle for an AD admin to run.

Read / Write | Pipeline-friendly | SqlSpnManager v1.4.0

Description

Many organisations separate DBA duties from AD write rights (regulated environments, anywhere with strict role separation). In those shops the dominant workflow is: DBA prepares the SPN registration, hands a script to a sysadmin / AD admin, who executes it from an account with the right ACEs. Without this command, the DBA hand-crafts setspn lines, frequently with mistakes that come back as AD-admin round-trips. DR-311 records the decision to add this command for that workflow.

Takes the output of New-SqlSpnPlan via the pipeline and emits a clean, executable bundle (Windows .cmd or PowerShell .ps1) containing one setspn -S line per ProposedSpn in the plan. Cross-forest plans include the -T flag on every line.

The bundle's header carries provenance: the SqlSpnManager module version, the plan's PlanGuid, the UTC generation stamp, and the target account's sAMAccountName + DistinguishedName. The AD admin can prove which command on which plan produced what they ran.

Returns the bundle as a string array (one line per element) when -Path is omitted, or writes it to the file at -Path and returns the resolved path. Either way, no SPN registration happens - the actual setspn calls only fire when the bundle is executed by whoever has the AD rights.

Recipes

EXAMPLE 1

$plan = New-SqlSpnPlan -VerifiedAccount $acct -Infrastructure $infra -Role Engine
$plan | Export-SqlSpnRegistrationScript -Path '.\register-svc_sql_prod.cmd'

EXAMPLE 2

New-SqlSpnPlan -VerifiedAccount $acct -Infrastructure $infra -Role Engine |
    Export-SqlSpnRegistrationScript -Format PowerShell |
    Set-Clipboard

Notes

The bundle's setspn invocations use the canonical -S form (DR-301). For cross-forest registrations (Plan.CrossForest = $true), every line carries -T <Plan.TargetDomain> per the engine's existing convention. For Agent and other RequireSpn=$false roles, New-SqlSpnPlan returns $null upstream and this command emits a header-only bundle noting no SPNs were proposed - honest about the no-op, not a silent skip.
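
A pre-execution check the AD admin could run on a received bundle, as an added example that is not part of SqlSpnManager: the hypothetical helper Test-HandoffBundle flags every non-comment line that is not a plain setspn -S call (with -T when the plan is cross-forest). It assumes header lines are comments starting with REM, :: or #, since the page does not show the header layout, and the sample bundle is constructed.

```powershell
# Hypothetical helper, added example (not part of SqlSpnManager).
# Assumption: header lines are comments starting with REM, :: or #.
function Test-HandoffBundle {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string[]]$Line,
        [string]$ExpectedAccount,   # sAMAccountName from the header or change ticket
        [switch]$CrossForest        # plan is cross-forest, so -T must be on every line
    )
    $safeToken = '^[A-Za-z0-9._:/\\$-]+$'   # no quotes, pipes, redirects or separators
    $n = 0
    foreach ($raw in $Line) {
        $n++
        $text = $raw.Trim()
        if ($text -eq '' -or $text -match '^(REM\b|::|#)') { continue }
        $tok = @($text -split '\s+')
        $hasS = $false; $domain = $null; $pos = @()
        for ($i = 1; $i -lt $tok.Count; $i++) {
            switch ($tok[$i]) {
                '-S'    { $hasS = $true }
                '-T'    { $i++; if ($i -lt $tok.Count) { $domain = $tok[$i] } }
                default { $pos += $tok[$i] }   # anything else counts as positional
            }
        }
        $problem = $null
        if     ($tok[0] -notmatch '^setspn(\.exe)?$')                { $problem = 'not a setspn call' }
        elseif ($tok | Where-Object { $_ -notmatch $safeToken })     { $problem = 'unexpected characters' }
        elseif (-not $hasS)                                          { $problem = 'missing -S' }
        elseif ($pos.Count -ne 2)                                    { $problem = 'expected exactly <SPN> <account>' }
        elseif ($pos[0] -notmatch '^[A-Za-z][^/]*/[^/]+')            { $problem = 'first argument is not an SPN' }
        elseif ($CrossForest -and -not $domain)                      { $problem = 'cross-forest plan but no -T <domain>' }
        elseif ($ExpectedAccount -and
                (($pos[1] -split '\\')[-1] -ne $ExpectedAccount))    { $problem = 'account differs from expected' }
        if ($problem) {
            [pscustomobject]@{ LineNumber = $n; Problem = $problem; Text = $text }
        }
    }
}

# Constructed sample bundle (not real output of Export-SqlSpnRegistrationScript)
$sample = @(
    'REM constructed header line'
    'setspn -S MSSQLSvc/sql01.example.test:1433 svc_sql_prod'
    'setspn -S MSSQLSvc/sql01.example.test:1433 svc_sql_prod & echo unexpected'
    'setspn -A MSSQLSvc/sql01.example.test svc_sql_prod'
)
Test-HandoffBundle -Line $sample -ExpectedAccount 'svc_sql_prod'
```

A clean bundle produces no output; on the sample, lines 3 and 4 are reported. The check is deliberately strict, so any legitimate non-setspn line in a real bundle is also flagged and should be read by hand before the bundle is run.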

Parameters

-Plan (required, PSObject, pipeline)
Output of New-SqlSpnPlan. Must carry PlanGuid, AccountDn, AccountName, and ProposedSpns. Pipeline-friendly (ValueFromPipeline).

-Format (optional, String)
Output dialect: Cmd (Windows .cmd batch syntax, matching KCM's familiar Generate output) or PowerShell (.ps1 syntax for shops that execute via Invoke-Command from a PowerShell session). Defaults to Cmd because that is the historic SPN-handoff convention.

-Path (optional, String)
Optional output file path. If specified, the bundle is written to this path (UTF-8, no BOM) and the resolved path is returned. If omitted, the bundle is emitted to the pipeline as a string array.
